ISO/IEC 27701:2019 – Privacy Management Systems

A blue lock pixelated graphic representing ISO/IEC 27701:2019 for Privacy Information Management (PII).

Like a shadow of pixels, your digital presence is an extension of you. Unfortunately in the first six months of 2019 alone, there were over 3,800 publicly disclosed data breaches, exposing 4.1 billion compromised records. To combat these dangers, numerous international standards offer support.

Like your digital presence, ISO/IEC 27701:2019 is an extension. Dealing with personally identifiable information (PII), or “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means,” this international standard exists as an extension to two other international standards on information security.

Applicable to organizations of all types and sizes, ISO/IEC 27701:2019 specifies guidance for establishing, implementing, maintaining, and continually improving a Privacy Management System in the form of an extension to ISO/IEC 27001:2022 and ISO/IEC 27002:2022.

Covering guidance for PII controllers and PII processors, ISO/IEC 27701:2019 includes mapping to the privacy framework and principles defined in ISO/IEC 29100, ISO/IEC 27018, ISO/IEC 29151, and the European Union General Data Protection Regulation (GDPR).

That was a lot of name drops for international standards, so, for the remainder of this post, we will provide a brief overview for each.

ISO/IEC 27001

One of the better known information security standards, ISO/IEC 27001:2022 is intended to preserve the confidentiality, integrity, and availability of an organization’s data by specifying state-of-the-art practices for an information security management system (ISMS). A strategic decision for the organization, an ISMS is fully compatible with other ISO management system standards, as it contains similar concepts and the shared Annex SL.

ISO/IEC 27002

Building off the ISMS specified in part one, ISO/IEC 27002:2022 offers a code of practice for information security controls, including the selection, implementation, and management of controls. This considers the organization’s information security risk environment.

In addition to selecting processes, this international standard can be used by organizations to implement commonly accepted security controls and develop their own information security management guidelines. In all, the standard contains 14 security control clauses, collectively comprising a total of 35 main security categories and 114 controls. Areas covered include asset management, operations security, and cryptography, among others.

General Data Protection Regulation (GDPR)

As it has already been mentioned, we should detail the General Data Protection Regulation (GDPR). This law went into effect May 25, 2018, replacing the European Union Data Protection Directive 95/46/EC, and it has waged a substantial effect on the way companies can process data. GDPR was enacted to protect EU citizens from privacy and data breaches.

GDPR applies to all companies processing the personal data of data subjects residing in the EU, and it is crucial to stress that it applies to the processing of personal data of all data subjects in the EU, even if the controller or processor is not based in the EU.

Since it was first approved by the EU Parliament on April 14, 2016, a multitude of organizations worldwide have tweaked their digital presence in a unified manner. Their incentive to adhere to the regulation: severe penalties. In fact, organizations in breach of GDPR can be fined up to 4% of their annual global turnover or €20 Million, whichever value is greater.

If you want to learn more about GDPR, check out or the official EU commission website on EU data protection rules.

As for its association with international standards, while the ISO/IEC 27000 series predated GDPR, the massive legislation has placed newfound value on the standards for information security management systems, since their guidance can aid organizations in the compliance process.

ISO/IEC 29100

Hopping back to standards in the ISMS area, there’s ISO/IEC 29100:2011, which deals with an information technology privacy framework. The framework outlined in this standard meets a few primary goals, including specifying a common privacy terminology, defining the actors and their roles in processing PII, describing privacy safeguarding considerations, and providing references to known privacy principles for information technology.

ISO/IEC 27018

Another entry in the 27000 series, ISO/IEC 27018:2019 deals with PII—specifically, it sets commonly accepted objectives, controls, and guidelines for implementing measures meant to protect PII. When a public cloud service provider processes PII for and according to the instructions of a cloud service customer, it is a “PII processor.” For these users, the standard offers comprehensive guidelines for physical and environmental security, operations security, communications security, and other pertinent subjects.

You can read more about this standard in our post on ISO/IEC 27018:2019 – Code Of Practice For Protecting Personally Identifiable Information (PII) In Public Clouds.

ISO/IEC 29151

Published as both international standard ISO/IEC 29151:2017 and International Telecommunication Union Recommendation Rec. ITU-T X.1058, this document establishes control objectives, controls, and guidelines for implementing controls to meet a risk and impact assessment associated with protecting PII.

Standards Packages Make Information Security Easier

This post is gravid with standards. Seemingly, it can be daunting for organizations who need to sufficiently process personally identifiable information to gather and follow all this guidance. Fortunately, ANSI has bundled ISO/IEC 27701:2019 – Security Techniques – Extension To ISO/IEC 27001 And ISO/IEC 27002 For Privacy Information Management – Requirements And Guidelines together with most of the standards detailed throughout this post. The following standards packages, which come at a discount, are available on the ANSI Webstore:

Privacy Information in Public Clouds Package

IT Privacy Information System Package

IT Security Techniques Privacy Information Package

ANAB ISO/IEC 27701 Accreditation

As this standard has become the benchmark for privacy management systems, organizations, to demonstrate compliance with its requirements, will seek out certification to the standard. To demonstrate credibility, these and other management systems certification bodies, benefit greatly from ANSI National Accreditation Board (ANAB) accreditation.

You can learn more about Accreditation for ISO/IEC 27701 Privacy Information Management Systems Certification Bodies here.

Share this blog post:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.